Hi Randy,

Randy Grimshaw wrote:
> You cannot have a legitimate network with only one address. You also need a network address (x.x.x.0) and a broadcast address (x.x.x.3) and two addresses for the communicating systems to use (x.x.x.1 and x.x.x.2). Microsoft Windows and other OSes also enforce this, so a /32 isn't practical... but I understand your idea, though. I needed to define several nearly duplicate rules for NET and IP hashes in our gateway application. Fortunately the cost is minimal compared to the overall efficiency gained by using IPset (a fabulous tool that needs to become mainstream).
I understand networks, network addresses and broadcast addresses; however, it would be useful to be able to match against both IP addresses and networks with the one set. Why can't an IP address just be treated as a /32 "network"? The fact that you've had to work around the same limitation indicates that I'm not the only one who could benefit from something like this. Is there a technical reason why this isn't possible?

On a side note, I agree that IPset is fabulous and should be part of mainline netfilter. It can greatly simplify otherwise complex firewall configurations.

Menno